Updated on 2022-12-30 GMT+08:00

Connecting to a Cluster Using kubectl

Scenario

This section uses a CCE cluster as an example to describe how to connect to a CCE cluster using kubectl.

Permission Description

When you access a cluster using kubectl, CCE uses the kubeconfig.json file generated on the cluster for authentication. This file contains user information, based on which CCE determines which Kubernetes resources can be accessed by kubectl. The permissions recorded in a kubeconfig.json file vary from user to user.

For details about user permissions, see Cluster Permissions (IAM-based) and Namespace Permissions (Kubernetes RBAC-based).

Using kubectl

Background

To connect a client to a Kubernetes cluster, you can use kubectl. For details, see Install Tools.

Prerequisites

CCE allows you to access a cluster through a VPC network or a public network.
  • VPC internal access: Clusters in the same VPC can access each other.
  • Public network access: You need to prepare an ECS that can connect to a public network.

If public network access is used, the kube-apiserver of the cluster will be exposed to the public network and may be attacked. You are advised to configure Advanced Anti-DDoS for the EIP of the node where the kube-apiserver is located.

Downloading kubectl

You need to download kubectl and the configuration file, copy them to your client, and configure kubectl. After the configuration is complete, you can use kubectl to access your Kubernetes clusters.

On the Kubernetes release page, click the link that matches the cluster version, click Client Binaries, and download the package for your platform.

Figure 1 Downloading kubectl

Installing and configuring kubectl

  1. Log in to the CCE console, click Resource Management > Clusters, and choose Command Line Tool > Kubectl under the cluster to be connected.
  2. On the Kubectl tab page of the cluster details page, connect to the cluster as prompted.

    • You can download the kubectl configuration file (kubeconfig.json) on the kubectl tab page. This file is used for user cluster authentication. If the file is leaked, your clusters may be attacked.
    • If two-way authentication is enabled for the current cluster and an EIP has been bound to the cluster, when the authentication fails (x509: certificate is valid), you need to bind the EIP and download the kubeconfig.json file again.
    • The Kubernetes permissions granted by a configuration file downloaded by an IAM user are the same as the permissions assigned to that IAM user on the CCE console.
    • If the KUBECONFIG environment variable is set on Linux, kubectl loads the file named by KUBECONFIG in preference to $HOME/.kube/config.

Calling Kubernetes Native APIs Through the API Server

You can use the API server of a Kubernetes cluster to call Kubernetes native APIs.

  1. Log in to the CCE console. In the navigation pane, choose Resource Management > Clusters. Choose More > Download X.509 Certificate for the cluster to call APIs.

    Download the following certificates:

    • ca.crt
    • client.crt
    • client.key

  2. On the cluster details page, obtain the API server address, as shown in the following figure.

    With the certificates and API server address, you can call Kubernetes native APIs.

    For example, if you run the curl command to call the API to view the pod information, you only need to carry the certificates in the command as follows (ca.crt verifies the API server, and client.crt and client.key authenticate you):

    curl --cacert ./ca.crt --cert ./client.crt --key ./client.key https://192.168.0.198:5443/api/v1/namespaces/default/pods/

Common Issue (Error from server Forbidden)

When you use kubectl to create or query Kubernetes resources, the following output is returned:

# kubectl get deploy
Error from server (Forbidden): deployments.apps is forbidden: User "0c97ac3cb280f4d91fa7c0096739e1f8" cannot list resource "deployments" in API group "apps" in the namespace "default"

The cause is that the user has been authenticated but does not have permission to operate on the Kubernetes resources. For details about how to assign permissions, see Namespace Permissions (Kubernetes RBAC-based).
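As an added example that is not part of the CCE documentation, the following Python script does what the curl command above does with the downloaded certificates, but reads them from a kubeconfig.json, and maps a 403 reply to the Forbidden case described in this section. SAMPLE_KUBECONFIG is a constructed stand-in with placeholder PEM data; the field names follow the standard kubeconfig layout, and the API server address is the one used in the curl example.

```python
"""Added example (not from the CCE docs): use a downloaded kubeconfig.json to call the API
server over mutual TLS, as the curl command does, and recognise the RBAC 'Forbidden' reply."""
import base64, http.client, json, os, ssl, tempfile

def _pem(label):  # constructed placeholder PEM, base64-encoded the way kubeconfig stores it
    return base64.b64encode(f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----\n".encode()).decode()

SAMPLE_KUBECONFIG = json.dumps({  # constructed stand-in with the standard kubeconfig layout
    "apiVersion": "v1", "kind": "Config", "current-context": "external",
    "clusters": [{"name": "external", "cluster": {"server": "https://192.168.0.198:5443",
                  "certificate-authority-data": _pem("CERTIFICATE")}}],               # ca.crt
    "users": [{"name": "user", "user": {"client-certificate-data": _pem("CERTIFICATE"),  # client.crt
                                        "client-key-data": _pem("PRIVATE KEY")}}],      # client.key
    "contexts": [{"name": "external", "context": {"cluster": "external", "user": "user"}}]})

def load_kubeconfig(text):
    """Resolve the current context to (host, port, ca_pem, client_cert_pem, client_key_pem)."""
    cfg = json.loads(text)
    by = lambda items, name, key: next(i[key] for i in items if i["name"] == name)
    ctx = by(cfg["contexts"], cfg["current-context"], "context")
    cluster, user = by(cfg["clusters"], ctx["cluster"], "cluster"), by(cfg["users"], ctx["user"], "user")
    host, _, port = cluster["server"].removeprefix("https://").partition(":")
    dec = lambda d, k: base64.b64decode(d[k])
    return (host, int(port or 443), dec(cluster, "certificate-authority-data"),
            dec(user, "client-certificate-data"), dec(user, "client-key-data"))

def make_tls_context(ca_pem, cert_pem, key_pem):
    """Verify the API server against the cluster CA and present the client certificate (mutual TLS)."""
    tls = ssl.create_default_context(cadata=ca_pem.decode())
    workdir = tempfile.mkdtemp()
    crt, key = (os.path.join(workdir, n) for n in ("client.crt", "client.key"))
    for path, data in ((crt, cert_pem), (key, key_pem)):  # the private key is a credential: owner-only file
        with open(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), "wb") as f:
            f.write(data)
    tls.load_cert_chain(crt, key)
    return tls

def list_pods(host, port, tls, namespace="default"):
    # Same request as the curl example: GET /api/v1/namespaces/<namespace>/pods/
    conn = http.client.HTTPSConnection(host, port, context=tls, timeout=10)
    conn.request("GET", f"/api/v1/namespaces/{namespace}/pods/")
    resp = conn.getresponse()
    return resp.status, json.loads(resp.read())

def explain_status(status, body):
    """Turn the API reply into the diagnosis given under 'Common Issue'."""
    if status == 403:  # authenticated, but RBAC denies the verb: a namespace permission is missing
        return "forbidden (missing Kubernetes RBAC permission): " + body.get("message", "")
    if status == 401:  # credentials rejected: download kubeconfig.json or the certificates again
        return "unauthorized (credentials rejected)"
    return "ok" if status == 200 else f"unexpected http {status}"
```

With a real kubeconfig.json, `list_pods(*load_kubeconfig(open(path).read())[:2], make_tls_context(*load_kubeconfig(open(path).read())[2:]))` performs the call; the placeholder PEM data in the sample cannot build a TLS context, so only parsing and status handling run offline.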